This blog is a complement to Georgetown University's COSC-011 Introduction to Information Privacy.

Tuesday, March 30, 2010

How I’d Hack Your Weak Passwords

John Pozadzides, CEO of the web company iFusion Labs and a blogger, provides an entertaining read about password security on Lifehacker.com:

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let's see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I'll probably get into all of them.

1. Your partner, child, or pet's name, possibly followed by a 0 or 1 (because they're always making you use a number, aren't they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. "password"
5. Your city, or college, football team name.
6. Date of birth – yours, your partner's or your child's.
7. "god"
8. "letmein"
9. "money"
10. "love"

Statistically speaking that should probably cover about 20% of you. But don't worry. If I didn't get it yet it will probably only take a few more minutes before I do…

The rest of this article provides an in-depth explanation of the tools and techniques hackers use to steal user passwords, and, more importantly, Mr. Pozadzides' recommendations on how you can improve your password security. Read the rest of the article here.
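The top-10 list above is exactly what a registration-time screening check should reject. As an added example (not from the Lifehacker article or this blog), the function below tests a candidate password against each item on the list using the profile facts an acquaintance would know; the profile, the account holder and the function name are all constructed for this illustration.

```python
import re
from datetime import date

# Constructed profile: the facts the list says a casual acquaintance or a
# quick web search would turn up about the account holder.
PROFILE = {
    "names": ["Jordan", "Emma", "Rex"],            # partner, child, pet
    "ssn_last4": "4821",                           # constructed value
    "places": ["Austin", "Georgetown", "Hoyas"],   # city, college, team
    "birthdays": [date(1984, 7, 4), date(2009, 1, 15)],
}

COMMON = {"password", "god", "letmein", "money", "love"}   # items 4, 7-10
SEQUENCES = {"123", "1234", "123456"}                      # item 3


def _birthday_forms(d):
    """Every spelling of a date a guesser would try: 0704, 07041984, 1984 ..."""
    return {
        d.strftime("%m%d"), d.strftime("%d%m"), d.strftime("%m%d%Y"),
        d.strftime("%d%m%Y"), d.strftime("%m%d%y"), d.strftime("%Y%m%d"),
        d.strftime("%Y"), f"{d.month}{d.day}{d.year}",
    }


def weak_password_reason(pw, profile=PROFILE):
    """Return which top-10 item `pw` matches, or None if it survives the list."""
    p = pw.lower()
    if p in COMMON:
        return "common word"
    if p in SEQUENCES:
        return "digit sequence"
    # Items 1 and 5: a known name, optionally followed by the obligatory 0 or 1.
    for n in profile["names"] + profile["places"]:
        if re.fullmatch(re.escape(n.lower()) + r"[01]?", p):
            return f"known name {n!r}"
    if p == profile["ssn_last4"]:                      # item 2
        return "SSN last four"
    for d in profile["birthdays"]:                     # item 6
        if p in _birthday_forms(d):
            return f"birthday {d.isoformat()}"
    return None
```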

5 comments:

Marisa W. said...

Mr. Pozadzides makes some great points regarding the need for strong passwords. The top 10 list was certainly an eye-opener. One of my friends actually uses the first two – her pet’s name and the numbers “123” – as her password for multiple logins, including access to her computer. Even if she had not already shared her password with me (behavior that the article does not discuss but is certainly something to avoid), I would have easily been able to figure it out, as would her 20 or so closest friends who know her pet’s name.

However, there are a few things left unaddressed in the article. While I agree strong passwords are important, Pozadzides chooses to highlight points that scare the reader and neglects to mention certain things that may keep our passwords safer than he implies. The first half of the article discusses the ease with which a brute force attack can allow hackers to detect your password. Certainly this is easily done in some cases, particularly with weaker passwords, but he does not consider that many of the larger websites we use that hold important personal information limit the number of login attempts or, if the user has tried to log in too many times, require a word verification to proceed. Running a program to hack in at these sites would not work because it would be restricted to a small number of attempts. Even without a program, it might only take 20-30 tries to find my friend’s weak password, but it could take days or weeks to figure it out because if I do not put in the exact password after 3 or so attempts, I would not be able to try again until the next day. In general, however, I agree with Pozadzides' point that with passwords it is better to be safe than sorry.

Strong passwords are incredibly important, but some may read this article and think that they are completely secure as long as their password is difficult to guess. There are other aspects of password security that should be examined. For example, no matter the strength of a password or how often it is changed, a keylogger will easily record any password that is typed in. I would be interested to know if there are any documented suggestions on protecting oneself from such an attack.
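The attempt limit this comment describes can be made concrete. As an added example (not the commenter's code, nor any real site's), the throttle below locks an account for a day after three wrong passwords, and the simulation feeds the article's top-10 guesses through it; the constructed account, its stand-in credential check and the one-guess-per-second guesser are assumptions.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 3             # wrong passwords tolerated before a lock
LOCKOUT = timedelta(days=1)  # "not able to try again until the next day"

class LoginThrottle:
    """Per-account attempt limiter (hypothetical design, not any real site's)."""
    def __init__(self):
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time the current lock expires

    def attempt(self, account, password, now, verify):
        """Return 'locked', 'ok' or 'bad'; a locked attempt is never evaluated."""
        until = self.locked_until.get(account)
        if until is not None and now < until:
            return "locked"
        if verify(account, password):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.failures[account] = 0
            self.locked_until[account] = now + LOCKOUT
        return "bad"

# The article's top-10 list filled in for a constructed account holder, plus
# a stand-in for the real credential check of that constructed account.
TOP10_GUESSES = ["Rex1", "4821", "123456", "password", "Hoyas",
                 "07041984", "god", "letmein", "money", "love"]

def constructed_verify(account, password):
    return account == "friend" and password == "wR7#kettle-lantern"

def run_guesser(guesses, account, verify=constructed_verify,
                start=datetime(2010, 3, 30), window=timedelta(days=2)):
    """Simulate a guesser firing one guess per second who waits out each lock;
    return the guesses the server actually evaluated before `window` elapsed."""
    throttle, evaluated = LoginThrottle(), []
    now, deadline = start, start + window
    for guess in guesses:
        result = throttle.attempt(account, guess, now, verify)
        if result == "locked":
            now = throttle.locked_until[account]   # wait out the lock
            if now >= deadline:
                break
            result = throttle.attempt(account, guess, now, verify)
        evaluated.append(guess)
        now += timedelta(seconds=1)
        if result == "ok":
            break
    return evaluated
```

Without the throttle all ten guesses are evaluated in ten seconds; with it, two days buy the guesser only six evaluated guesses.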

In his article “How I’d Hack Your Weak Passwords,” John Pozadzides demonstrates the ease with which hackers can steal one’s password, and advocates for the public to create difficult-to-deduce passwords for each online account. However, I wonder about the practicality of creating tough-to-remember code words for every individual file with today’s online banking, email, blog sites and online shopping. While I agree that one should not use easily deduced passwords such as pets’ names, nicknames or birthdates, I believe it is more realistic to create just a few tough passwords for specific types of accounts. For instance, the toughest password to decode should be applied to one’s accounts with the most confidential information, followed by a special password for online banking, followed by a code for email and one for online shopping accounts.

While one runs the risk of a hacker obtaining all one’s personal information if one recycles passwords, I believe the privacy invasion risk is small compared to the hindrance of trying to remember a dictionary of difficult passwords for every account. There is always the danger that one will forget a catalog of passwords, and if one writes them down, the security of the password is breached. Indeed, a variety of methods have been proposed to create and memorize hard-to-crack passwords. In one article I read, it was suggested that the web user find a common phrase such as “I like ice cream” and abbreviate it, taking each word’s first letter to form “ilic” or removing vowels to become “lkccrm”; the longer the phrase the better, as it will be harder to decode. Yet, while this method may produce passwords which are difficult to decipher, it seems impractical. One would have to go through the tedious process of revisiting multiple sentences just to recall each account’s code (“ice begins with ‘I’”), and so on.

Moreover, if one forgets one’s glossary of passwords, one is forced to click the infamous “forgot your password?” space online. From here, one either has to go through a screening process to determine one’s identity and wait for an email with the forgotten password, or one has to initiate a new password, which defeats the purpose of having one. And while the automatic password-entering systems, 1Password and Roboform, do solve the problem of password memorization, they are not invulnerable to attack. While passwords are encrypted in these systems, hackers can decrypt them using a cracker program or dictionary maker.

Ultimately, with today’s technology, there are a variety of methods that can compromise one’s privacy online. Keyloggers (which remember key strokes), encryption software, and phishing emails all endanger one’s online confidentiality. Therefore, it seems the risk is the same whether one reuses a few difficult passwords or uses a laundry list for every individual account. For even Pozadzides admits that if one adds a few extra characters, numbers or capital letters to a password, it will make it more difficult to “crack.” While I certainly wish to protect my privacy, I believe encumbering oneself with dozens of impossible-to-remember passwords is simply overkill.

I really found this article by John Pozadzides to be an eye-opener! People definitely are too careless with what they choose for their passwords, and one’s carelessness can lead to one being cyber attacked without knowing. The article tries to pinpoint that the danger is not necessarily in what one chooses for a password but with the complexity of the characters which one chooses. Password generators don’t necessarily work with direct personal information but instead thousands of common character guesses. But in my opinion, how much can we really do to encourage people to choose strong passwords? I pulled up an article from the New York Times which talks about Google's new Gmail security measures. The article was entitled “Google Alerts Gmail Users to Suspicious Logins.” Like Pozadzides' article, the New York Times article expresses the ease with which cybercriminals can maliciously crack passwords and compromise identities. I get the sense that Google realizes that they can only do so much to encourage people to choose strong passwords. Therefore, instead of trying to target the problem of weak passwords, they are trying to find a way to alert people in the event that their password is obtained by an illegitimate user. Google takes note of the I.P. address of the registered user’s computer(s) and sends indicators to the user if a simultaneous login were to occur or if a computer with a strange or foreign I.P. address were to log in. Also, Google boosted the security of its Gmail users by using Hypertext Transfer Protocol Secure, or HTTPS. This new technology encrypts all the traffic it carries and protects users from snoops who might try to capture their information as it moves across a network. So ultimately, it may be more effective to upgrade security measures by notifications and technology than to encourage people to make stronger passwords.
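The alerting this comment describes, as an added example that is neither Google's code nor the commenter's: a small detector run over a constructed login log that flags a login from an address the account has never used before and a second concurrent session from a different address. The log format, the TEST-NET addresses and the rule that an account's first observed address is enrolled silently are all assumptions.

```python
from datetime import datetime

# Constructed login log: timestamp, account, event, source IP (TEST-NET ranges).
LOG = """\
2010-03-29T08:00:00 alice login 203.0.113.7
2010-03-29T17:00:00 alice logout 203.0.113.7
2010-03-30T08:05:00 alice login 203.0.113.7
2010-03-30T09:10:00 alice login 198.51.100.42
2010-03-30T09:30:00 alice logout 198.51.100.42
2010-03-30T17:00:00 alice logout 203.0.113.7
"""

def parse(log):
    """Yield (time, account, event, ip) for each line of the constructed log."""
    for line in log.splitlines():
        ts, account, event, ip = line.split()
        yield datetime.fromisoformat(ts), account, event, ip

def suspicious_logins(log):
    """Return alerts as (time, account, kind, ip).

    `known` plays the role of the addresses Google notes for each user;
    `active` holds the open sessions per account so overlapping logins from
    two different addresses can be spotted.  The first address an account is
    ever seen from is enrolled without an alert (assumed enrollment rule)."""
    known, active, alerts = {}, {}, []
    for ts, account, event, ip in parse(log):
        sessions = active.setdefault(account, {})
        if event == "logout":
            sessions.pop(ip, None)
            continue
        seen = known.setdefault(account, set())
        if seen and ip not in seen:
            alerts.append((ts, account, "new-ip", ip))
        if any(other != ip for other in sessions):
            alerts.append((ts, account, "simultaneous", ip))
        sessions[ip] = ts
        seen.add(ip)
    return alerts
```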

This was fascinating! I especially enjoyed the disclaimer that this was not intended to instruct people on how to hack. The chart that had various times to break a password was also of key interest, as there's an inherent inconvenience in that typing in a longer password/caps/symbols for a site you visit every day can be annoying (though obviously less annoying than having your credit card information stolen!). I guess that may be a reason for the password guidance so many sites have, requiring symbols, caps, numbers, minimum number of characters, etc. I don't recall which site specifically, but somewhere I have an account (it may in fact be Gmail) that assesses your password's strength as you are composing it - I would be interested to see their formula and the relative weights they place on the various formats described by Mr. Pozadzides. His mentions of the top ten most common passwords seem like common sense, and it was in many ways surprising that people still use such passwords, but the biggest stumbling block for me is the issue of not using one password for everything. Quite honestly, I use variations and expansions of the same password that was assigned with my email freshman year of high school. So do my sisters and many of my friends. I always think that because they are such random combinations (although at this point we all know each other's basic codes, they just don't know which add-ons I am currently using) that no one will try to break them. Given how many different sites and logins I utilize on a given day (upwards of a dozen), it would be highly inconvenient, not to mention torture on my memory, to remember different passwords for each. While the warning against using one password was troubling, it was honestly not enough to convince me that I need a different password for everything. Am I playing with fire? Maybe. Can I remember a multitude of passwords daily? No way.

I found this article very interesting and alarming at the same time because I'm also one of those people who use fairly easy passwords over and over for many different accounts of mine. These days, I often get a warning notice from many websites to upgrade my passwords to more complicated ones, but I often find it unnecessary to do so and ignore their warnings immediately. I bet many people are doing the same thing as I am without realizing the danger of being hacked easily due to their simple passwords. Some accounts actually require people to make their passwords much more complicated to avoid being hacked. I think this really helps people to stay away from simple passwords, although it makes people like me often forget their passwords. As I tried to vary my passwords, oftentimes I got confused about which passwords I used for which accounts. However, keeping the easy and simple passwords just to make it easier for you to remember also means that you are making it easier for other people to hack your passwords. I was kind of shocked when I read the news on how some celebrities hacked into other celebs' Twitter accounts to post some funny updates as April Fools' pranks. Although it was definitely done for fun, what it's telling us is that those celebs' passwords were simple enough for their friends to figure out without much knowledge of hacking. What if this hacking incident was done not for fun but for crimes or any other bad motives? Before becoming one of those victims, people must upgrade their passwords to much more difficult ones.

About Me

In my spare time I am an Adjunct Professor in the Computer Science Department at Georgetown University in Washington, DC. This blog chronicles our class discussion and applies theories of Information Privacy and Security to everyday events.